#I don't think anyone can give you an

Let's talk here?

So yeah, I realize the implications, running the game server side would probably prevent 99.9% of cheats, I'm sure some ppl will find some way to still cheat though.

My game is fairly simple, and I think implementing cheat-detection will be fairly simple too, so I can ban people. Not sure if hardware bans are possible? It's a Steam game.

But I honestly know very little about anti-cheat so not sure what to predict.

I do know that as soon as I put out the first aplha version, I got a Cheat Engine user in my Discord bragging about their stats ...
I've used Cheat Engine a little myself, so I understand the basics of it. That would be super easy to detect.

Preventing cheating is a whole different story though?

Running the game client side has big pros too though. It would simplify the development by a ton. It would reduce the huge costs of the server.

Like I feel that if I actively add new cheat-detection methods, say like once a month, it would be very hard to cheat undetected in my game?

As long as the client is authoritative, you're going to have cheaters. Adding more and more anti-cheat detection methods isn't going to cut it, how many ways can you think of to prevent players from just spawning in a weapon when you don't know if they've done all the required things to find one

I could write a simple function that sends the amount of items a player holds to the server once a minute or so.
Then each month I change that function a bit, rename it, put it somewhere else, ...
I can think of quite a few ways to detect cheats 🙂

What's that method going to do?

this is absolutely nothing for an anti cheat

If I as a new player spawn the most powerful sword, and you don't know how much currency I've earned or whether I've defeated bosses, how are you going to figure out whether I bought it legit or killed the boss

Or what if I change my client ot make my weapon do 10m damage and just kill all monsters and get the good loot?

it would be extremely simple to figure out you can't get that item at your stage in the game?

It would also be simple to figure out you're killing monsters way faster than you should be

I'm not saying I will be able to prevent all cheating

but detecting most basic cheats should be fairly simple

Would it? If your server is not authoritative or you're not sending all user data (which basically means you have to make your server authoritative) then it's not

even if that idea worked, that already is not simple. You're already setting yourself up to have to check every single item, every value, and make sure you put it properly or many false bans will happen

it would be extremely simple to figure out you can't get that item at your stage in the game?
You just said multiplayer trading is a big thing, maybe a friend gave it to me, maybe I just traded a lot

but then I could see you got it from another player 🙂

the server would keep track of everything

no data would be saved on the client

right now (since it's an idle game) my server pre-calculates all combat, that's the thing I want to move to the client

And absolutely nothing stops the cheaters from reverse engineering either your client code that does the sending, or reverse engineering the data your client is sending. Once they know, they can just send whatever they want.

This is what I've said about considering client code and data to all be compromised, it's a losing battle.

true, that's why I would frequently update my cheat detection methods, or change them slightly, it would require a lot of effort for them to keep up
obviously it will be possible, probably even easy for the few who want to put in the effort
but it should keep the total amount of cheaters low?

It only takes 1 cheater to ruin your economy

That really doesn't matter, if you have one cheater selling cheated items, now that item has flooded the economy. Now you are faced with the choice of either tracing all those exchanges of the cheated items (you better have good logging to allow you to trace them, or else you'd just have to remove that item from everyone, even the legit players) and people are going to complain, or you just let that item devalue your entire market.

I know it won't be possible to prevent cheating completely, that's why I started building this server side, but the game is getting too complex to run on UGS C# CCM and I really don't feel like learning how to run a persistant server + that would also bring a new cost and budget is low

not really, if they're cheating that obvious that it ruins the entire economy, then it's also easy to detect

It's not about detection, it's about recovering from the disaster.

and what do you do after you detect it? allow the economy to be fucked or revert everyones hard work that happened after the cheater work

Yeah, and they're going to trade their currency and items to 100s of other players, you can't remove their items as they didn't cheat, nor do they think they bought it from a cheater (in most cases)

I could save the player who found/created the item on the server and reverse all transactions when a cheater is found

or let the legit players keep their stuff, but nerf it by say 20%

as many options as people have to cheat, I have the same options for anti-cheat

yeah it will suck, but so does running everything server side

you are WAY WAY oversimplifying what you can do, you should really go look into articles or just really anything about what current anticheats do

but they would be refunded whatever they paid for the items

You can't just reverse transactions, let's say I did some trading involving the cheated items (which I did not know, I'm just the middleman) and I profited +100 gold, and then I spent it immediately so now I have nothing in possession. How would you possibly reverse the transactions, leave me at -100 gold in my account? The economy is completely messed up regardless.

are there any relevant anti-cheat articles for my type of game? I'd be very interested in reading those

you'd probably want to look into what mmos do, since your game sounds like one. even if its an idle game

But I think we are getting off the true problem at hands here. If your strategy is "server side logic is too expensive so I'm going to instead use client side anti cheat" then I don't think that's an easy way to go.

There are companies selling client side anti cheat solutions and they charge a premium price of those, because it's not easy.

mmos have tons of cheaters and bots though

if you look at a popular game like old school runescape, an example ill use because its a game i played too much, everything is done on the server. you cannot just fake trades or say you have more items because it wouldnt reflect on the server. that doesnt stop people from using bots but at least you cant just hack items or fake trades

so? every game does

and since everyone uses them, every single decent hacker knows how to bypass them

so what's wrong with my game having some too?

I could for example get one of those client side anti-cheat tools, if it's affordable I probably even will

and I could still add my own validations on the server

the difference is you said you wanted some logic client side. this is immediately impossible to prevent cheating now and your game economy will be broken immediately

the cheaters in mmo may abuse game mechanics like broken logic rather than actually just writing "i have 99999999999 gold" which is what your flaws will be

games like wow run their combat client side too not? no way they have servers pre-calculating all the combat?

but that would be extremely easy to detect, my server would know how much gold the player has, if they suddenly get 99999999 more, that's very easy to see

I really don't think you quite grasp the problems of client side anti cheat, it's really not a solution you willingly go into. If you care about integrity, server side is the only solution; only when that's infeasible that client side becomes the last resort and you deal with all the consequences of people eventually getting pass your client side anti cheat.

I'm still saving all data on the server and validating client input

well server side has come to a point where it's infeasible for me

again, you are massively oversimplifying. if its so easy, then what are you even asking about? Just go ahead and implement this extremely easy anti cheat that somehow will encapsulate every single value in your game to see if it made sense to get in that moment.

its infeasible because you overscoped what you want.

i want anticheat
budget is low
10k+ players per month
Something has to go

of course I'm oversimplyfing, I'm not going to completely write down how I would handle it here
I'm aware it's much more complex, but a lot of basic cheats would actually be very easy to detect

for example my game has a stat strength
if a level 1 player suddenly has 1000 strength, they get insta-banned

so do you really think you're gonna be there writing if statements for EVERY single value that could exist in your game? What if some game mechanic bugs out and a player really does get 1000 strength temporarily? Are you going to ban them

yeah so anti-cheat has to go 😐
and I will try to catch as much cheating as possible, I know I won't be able to catch them all

when anti-cheat goes, your 10k+ players per month will be 100 bots per month.

you simply need to scale down, have a player amount feasible for what your server can handle

MMO's have many servers setup, and idk about other games but old school runescape limits each world to 2000 players max

even at 2000 people have completely crashed the server due to the sheer amount of logic that was trying to run.

well my game is not nearly as complex as runescape 😛

I don't know if you have an estimate of how much your server side implementation would cost, but if you care about cost saving, avoid all serverless functions, they do not scale cost wise. A cheap VPS can handle massive amount of requests, magnitudes more than had you do the same with serverless functions.

so from all this I take away that cheating is gonne be really bad and impossible to stop 😣

and probably most importantly that it will ruin my economy

The take away should be you should not rely on client side anti cheat 😄

the game is relatively simple. And really they barely have anticheat

theres just a shitton of things to do in game because its existed for so long but every action is simple, trading is simple, combat is literally point and click

FYI, I have a website that runs on a VPS, and the website in its hayday used to get more 300 million requests per month. How much did the VPS cost? 20 USD per month.

Try 300 million requests on a serverless function and you go bankrupt in a week.

pretty sure UGS CCM (the server I'm using) is serverless

but I don't really know any of these concepts

i highly doubt any unity service will be enough for what you're attempting to make

which is why I don't wanna continue building my game on a server

Oh boy, a good client side anti cheat will cost you way more than 20 USD per month.

well I estimated my monthly cost at €400 for UGS with 10k players per month

no idea what client side anti cheat goes for

Let me put it this way: if a solution is easy to use, that's because they did all the hard work so they can sell to you with a marked up price and profit from it. The easier the product the more they are charging you for premium.

there's also this, but I doubt it will be very effective: https://assetstore.unity.com/packages/tools/utilities/anti-cheat-toolkit-2024-202695

If you want to be cheap, the unfortunate truth is just that you have to do more work yourself.

If you don't want to do work, then your only option is to just pay up.

I'm pretty sure Unity services just resell other cloud platform's solutions like AWS.

probably

but I don't have the time to learn a new server structure atm

maybe for my next game 🙂

there is definitely a lot less work you need to do for anti cheats especially if you just do everything on the server

and at least then you can be confident in what actions a user can do, and that they cant randomly gain benefits unless through broken game logic

even with full server side logic
cheaters can just make bots and still ruin the economy

thats completely unrelated to the talk of anticheat though

well it makes it less of a problem that I won't have good anti-cheat
because I would still have the same issue even if I did have great anti-cheat

this conversation is really helping me btw, really appreciate all the feedback

I don't think "there's no way to prevent all cheating so there's no point in trying" is a good way to approach this. Removing the most outrageous forms of cheating and leaving only the forms of less consequences, is still miles better than not doing anything.

theres a major difference between that and the possibility of 1 guy cheating in items. At least a bot would have to go through the regular game actions to acquire stuff.
But you're bringing this up when we're talking about having client side logic that someone could easily bypass by sending in a different packet

but again, if the cheating is so outrageous, then it's also much easier to detect not?

Yes, but like said above by me and many others, it's not the detection that's problematic, it's dealing with the fallout of a broken economy.

You cannot reverse the damages done between the time cheating happened and the time you fixed it, and expect people not to complain and leave your game.

just to be sure, my anti-cheat logic would still happen on the server, not on the client

only the server would be able to save player data on the server and it would validate it

Yeah I realize that now, thanks to your feedback.

What I can do is prevent the most outrageous types of cheats and that would only leave my economy slightly worse instead of completely broken

validating it is the issue though. this implies the client at any point is directly saying what the values are rather than being told
with an example, runescape has had many instances of people abusing bugs to get a shitton of money or items which was preeetty bad for the game. But for a looong time they've never had to worry about false packets, cheat engine, or anything client side. All logic is done through the server. All bugs are done through broken game logic. If you have anything thats done client side it will be abused by cheaters forever.
People have even cheated in absurd amounts of gold in runescape but did it so slowly that it was never really noticed (and you really cant just notice these things).

They do actually have some client side bugs, involving packets but thats besides the point.
You may want to specify more at what you mean by having logic client side

I'm ok with people cheating to a point where it's very hard for me to actually notice it, it's just something I will have to concede as an indie dev

Your players will not be ok with it though

It would be very hard for them to notice too not?

Like, I hate it, I hate cheating, but I can't stop it

If I could I would, but I just don't have the ability at the moment

Hardly, if you actually expect it to become popular with 10k players, people will notice suspicious things.

Idk, I dont think we're on the same page about what logic you actually want to do client side

How much programming experience do you have outside of Unity? Especially with web backend.

Here's an example: A player kills a monster, the monster drops an item
There's a hidden function in my client that has 1% chance to activate
When it does, it sends a new packet to the server with the monster id and item id + stats
The server then checks if that monster can drop that item

If people are hard abusing cheats that make more powerful items drop, I can detect it this way.

The server also needs to save the items, so it can easily count how many items a person is getting.
If this is way more than it should be, it's also easily detectable.

That does leave the option for cheaters to slowly farm legit items.
Or to go through all my code and find the function and disable it, but then next patch there will be a new function somewhere else.
It won't stop everyone, but it will stop most cheats I believe

That can already be cheated.

10k / month is nothing ...
this is DAILY, not monthly
I just want 10k / month, that's 350 / day

Honestly if you believe that moving the function will have any impact, you should immediately scale down your game.

it can, but it's not extremely simple

Someone can figure out the correct packet to send and bypass your 1% chance completely, and you have no way to tell if it's cheated or just a really lucky player that got it.

No, it's extremely simple.

RE is honestly so much easier than most people think.

RE?

Reverse engineering.

there will be a point where people arent even looking at the code, they can simply see what packets are being sent and just copy it

but then my server would see that player never gets tagged
after a few hours of gameplay that becomes very obvious

we can sit here all day and talk about how easy it is to evade anti-cheat, and I know it is
but it's just as easy to detect the worst cheats and stop them

again, yes there will be people skilled enough to evade most of the detection, but I hope I can limit that to a point where the game is at least playable

ok I didn't think about that, but I'm sure I can think of some way to stop/detect that too

no, you cannot.

All you have to do is to instead of "client decides it rolls the lucky 1% and sends you the packet" you just change it to "client tells server to do the roll, and server sends back if you indeed got that 1% lucky roll or not"

It's a tiny change and prevents a whole host of cheating, and it costs practically nothing for the server to generate a random number.

yeah stuff like that I can and will still do on the server

I'm talking about pre-calculating my entire combat on the server

You might be very surprised how powerful modern computers are, modern CPU runs billions of instructions per second, at this very moment you and I talking, every message has to be encrypted and decrypted multiple times and you certain don't notice anything.

how does that help me if I don't know how to do it?

I used UGS because it's simple, I don't know anything about servers

Like mentioned above, if you have programming experience outside of Unity, I would strongly suggest you to take a stab at it and see for yourself before making the decision to ditch server authoritative. 400 Euro for handling 10k MAU is such a steal, when my own website that serves 300 million requests per month cost only 20 USD.

I think at this point it's just way more benifial for me to release a game that can be cheated than to start learning how to setup servers

I don't even know where to stat looking for an alternative server setup

If you have never worked with a server before, it might feel more complicated than it really is. Your very own computer that you are using right now, can be a server, and your server application is nothing but a console .exe that you double click and run. That's all there is to it.

UGS is non-persistent, so if my game has 50 spells, each spell has to be loaded every single time combat happens
on top of that it needs to load all the items the player has each time, it then needs to write the combat logs somewhere and send them to the client
that's a LOT of loading, calculating and storing for EACH player every few seconds
on a non-persistent server that doen't allow storing anything to memory

if the main goal for you is just to get people to buy the game, sure itll be more beneficial. You'll get a hell of a lot of complaints though later on

if u want a game that people will play for awhile, you've simply overscoped

That's exactly why I tell you to not use serverless functions and just write a regular server application.

Serverless functions are very good at certain things (specifically stateless use cases) which is not what your use case is.

so where do I get started writing my own server app?

what do I use?

I've ran a Node.js server before, like 10 years ago, but I have absoltely no clue how I would make it interact with my Unity game

and that opens up a whole new set of hackers, that can just hack my server

I'd prefer to run a C# server, I've looked into a bit, but didn't understand much

If it's a web server, you can just use UnityWebRequest like you would with any other web server.

Web backend is actually one of the biggest use case of C#/.NET, arguably more than game dev. ASP.NET is what you would use.

If you already made up your mind that you don't or can't write your own server, I'm not here to change it, but that honestly is just an excuse.

is a web server good for my use case?

the combat calculations get pretty intense, there's tons of items/spells to load

Well ChatGPT is pretty intense isn't it, that runs on a web server.

A web server is nothing but an application running on a computer, not any different from Discord.exe that's running on your computer right now.

and how would my game request stuff from the web server?
REST API?

REST is a design pattern

But yes just a regular good old request is fine, especially for an idle game that's not like you need real time messages.

When you type https://google.com into your browser, that's just sending a GET request and waiting for a response from Google's web server.

and how/where would I save player data?
files on the server?
could I keep active players in memory?
or would it be fairly simple to connect UGS Player Data to my own web server? (I don't think it is)

Again your web server is nothing but an application running on a computer. How does notepad.exe save data? By writing to your hard drive. You are not forced to use UGS, you can just literally File.WriteAllText() on your server.

and then let's say I manage to set all of this up
my server can handle 500 players at the same time
what happens when I get 600-700 players at the same time and my server crashes?
I'd need to program it to be scalable, but have no clue how to do that

yeah, but what happens when a player click "start combat" and my server takes 3 minutes to respond because it needs to load data from the HD first?

I literally do not know anything about running/managing servers and from the research I have done it all seems extremely complicated and hard to manage
Which is why people use services like UGS

Well it seems to me that you have already rejected the idea of writing your own server so you are just listing potential problems, and as I said I'm not here to change your mind, if you don't want to write your own server that's completely fine and I have nothing else to offer.

No I'm actually considering learning how to do it, I just have tons of questions

And I did look into this months back before choosing to go with UGS, but I just couldn't figure it out

Every time I look something up, it just answers with 3 more terms I don't understand

Would you be interested in helping me set up the basics?

If you have specific questions, you can ask and I can try to answer, but that's like asking "can you help me write a game" it's a field on its own.

If you want some basic idea of writing your own web server before deciding if you want to commit to the approach, you can just write your own and run locally on the same computer as the Unity editor, and connect to it. You don't even need to do all the complex stuffs, a very simple "when player clicks a button in the Unity game, it sends a request to the server, and server responds with result of a coin toss, and the game displays the result" should give you an idea of what it's like.

I think I have a pretty solid grasp on how it would work, except for how to make it scalable

But how do I get started with making my server in C#, if you even do that in C#?
How do I make a .exe I can run on my PC?

What I'm asking is, what do I google to get started 😛

"C# console app"

and let's say I don't want to run it on my PC, where can I host that server?

I like Combell in Belgium, but they seem fairly expensive

and probably just resell amazon stuff anyway

I've tried setting up an amazon server in the past and I remember it being insanely hard

Eh, I don't use AWS but I do use Oracle Cloud (the free tiers host some of my other projects that get like ~50 million requests per month, I'm paying them 0 penny), from my experience it's just clicking a few buttons in their panel and it just creates the server for you, and you SSH into it and work with it like any other computer.

There are other VPS sellers like DigitalOcean and what not and you can find a ton of them online.

"you SSH into it" that's exactly what makes setting up a server so hard for people like me
by accident I do know what SSH is and how it works, I also remember it's not all that easy to set-up and the guides just slap around more terms that I don't understand

But honestly deployment is the last step you need to worry about, at worst you waste a day fiddling with a server.

like every "beginner" guide assumes you're an expert instead of actually explaining how to do something lol

actually it's the first step you need to worry about, because a server running on my PC won't behave exactly the same as a server running on another PC and it might completely break everything

so I'd rather just deploy it on the server I'm going to use from the start, especially if it's just $20 / month

No

You don't develop on your production machine, you develop locally and once it's done you deploy it to your production machine.

The only time it matters is if you have some things that might not support prod machine, but for a run of the mill web backend that's rarely ever an issue. Everything is cross platform nowadays.

so I'm looking at this: https://www.oracle.com/be/cloud/free/
they have 70 different options, what do I need?

alright, so I just make a C# console app and run it on my Windows 11 PC? That will get me started?

Yes, just ignore deployment completely.

Do this and see how you like it then decide if you want to go forward.

Can I add you here on Discord? I'll try not to bother you with too many dumb questions and I promise I will always research what I can before asking 🙂

I don't DM, and it's better to just ask the question not to a specific person, so everyone can answer.

Web backend isn't Unity related either, you might want to join the C# Discord (if you are going to go with C#) and there are tons of backend folks there that are way better than I am.

console app doesn't seem to offer anything persistent, is that really what I need?

I mean, currently you don't even know how to make a regular C# application that produces a .exe that you can just double click and run, so I think it's a good first step to at least know how to work with C# outside of Unity context.

well now I do know how to make a console app .exe and that's not what I need at all